Terms of Service

Table of Contents

  1. Terms of Service
  2. GDPR Data Processing Addendum
  3. GDPR Standard Contractual Clauses
  4. Data Processing Addendum (DPA) and Annexes
    1. Definitions
    2. Data Protection & Processing
    3. List of Subprocessors
    4. Annex 1.A - Parties
    5. Annex 1.B - Description of Transfer

Terms of Service

Welcome to FoxyCart.com and Foxy.io. FoxyCart.com, LLC ("Foxy", "We", or "Us") provides services ("Services") to you subject to the following conditions (this "Policy"). If you visit FoxyCart.com, Foxy.io, any subdomains of those domains, or use any services provided by FoxyCart.com, LLC, you accept these conditions. Please read them carefully. These terms of service apply to all sites created by FoxyCart.com, LLC (including, but not limited to, foxy.io, *.foxy.io, *.foxy.dev, foxycart.com, admin.foxycart.com, forum.foxycart.com, wiki.foxycart.com, support.foxycart.com, and affiliate.foxycart.com). In addition, when you use any current or future FoxyCart service you also will be subject to the guidelines and conditions applicable to such service or business.

  1. NO AGREEMENT BETWEEN FOXYCART AND END-USERS. These Terms of Service apply between FoxyCart.com, LLC and its customers who use and pay for the services provided by FoxyCart.com, LLC. These Terms of Service do not apply between FoxyCart.com, LLC and the user's customers or end users. For the purposes of these terms of service, "You" shall refer to the FoxyCart.com, LLC customer ("User"), and not the user's customers ("End-users", "Your Customers").

  2. PRIVACY & DATA PROTECTION. Please review our Privacy Policy, which also governs Your visit to Foxy websites and services, to understand our practices.

    Additionally, if: (a) you are established in the European Economic Area (EEA); (b) you provide goods or services to customers in the EEA; or (c) you are otherwise subject to the requirements of the EU General Data Protection Regulation, our collection and use of personal information of any European residents is also subject to our Data Processing Addendum.

  3. ELECTRONIC COMMUNICATIONS. You consent to receive communications from us electronically. We will communicate with You by e-mail or by posting notices on this site. You agree that all agreements, notices, disclosures and other communications that we provide to You electronically satisfy any legal requirement that such communications be in writing. These include any communications regarding changes made to these Terms of Service. We may make changes to the Terms of Service at any time, upon notice to You, either through electronic communication or through a prominent notice on our site. Any further use of the site after notice of the changes to the Terms of Service constitutes acceptance of those changes.

  4. SITE ACCESS. Foxy grants You a limited license to access and make personal use of this site and not to download (other than page caching) or modify it, or any portion of it, except with express written consent of Foxy. The information provided by Foxy to You may be proprietary in nature. You agree not to share any information provided to You by or on behalf of Foxy with any third party. This license does not include any resale or commercial use of this site or its contents; any derivative use of this site or its contents; or any use of data mining, robots, or similar data gathering and extraction tools. This site or any portion of this site may not be reproduced, duplicated, copied, sold, resold, visited, or otherwise exploited for any commercial purpose without express written consent of Foxy. You may not decompile, disassemble, reverse engineer or otherwise attempt to discover any trade secret contained in Foxy.io, FoxyCart.com, or in any product, service or software provided through Foxy.io, FoxyCart.com, or other Foxy sites or services. You may not frame or utilize framing techniques to enclose any trademark, logo, or other proprietary information (including images, text, page layout, or form) of Foxy without express written consent. You may not use any meta tags or any other "hidden text" utilizing Foxy's name or trademarks without express written consent. Any unauthorized use terminates the permission or license granted by Foxy. You are granted a limited, revocable, and nonexclusive right to create a hyperlink to the homepage of Foxy.io so long as the link does not portray Foxy, its affiliates, or their products or services in a false, misleading, derogatory, or otherwise offensive matter. You may not use any logo or other proprietary graphic or trademark of Foxy or its affiliates as part of the link without our express written permission. We may make changes to the website’s content or functionality at any time in our sole discretion.

  5. USER CONTRIBUTIONS. If You submit material to Foxy via blog comments, submissions to a forum on the site, or otherwise, and unless we indicate otherwise, You grant Foxy and its affiliates a nonexclusive, royalty-free, perpetual, irrevocable right to use, reproduce, modify, adapt, publish, translate, create derivative works from, distribute, and display such content throughout the world in any media for the purpose of marketing the Foxy site and services. You grant Foxy and its affiliates the right to use the name that You submit in connection with such content, if we choose. (We work hard to earn the trust of our users, so we will almost always ask permission before using customer quotes in marketing material or for any other purposes.) The foregoing notwithstanding, any use of Your personal information is subject to our Privacy Policy.

    Submitted material that is excluded from this license includes: "downloadable products" uploaded to Foxy servers; HTML, CSS, JavaScript, images and other assets used in your templates; product names, images, descriptions, and other product-specific information for the products You sell through Foxy.

    You represent and warrant that You own or otherwise control all of the rights to the content that You submit; that the content is accurate; that use of the content You supply does not violate this policy and will not cause injury to any person or entity; and that You will indemnify Foxy or its affiliates for all claims arising from content You supply.

    Foxy has the right but not the obligation to monitor and edit or remove any activity or content. Foxy takes no responsibility and assumes no liability for any content submitted by You or any third party.

  6. YOUR USE OF Foxy SERVICES. Foxy reserves the right to refuse service, terminate accounts, or remove or edit content in our sole discretion at any time. Foxy is not intended for use by children. No one under the age of 13 may use the Foxy service or websites. If you are under 18, You may use Foxy only with involvement of a parent or guardian. If you violate this policy, or authorize or help others to do so, we may suspend or terminate your use of the Services. In connection with Your use of our services, or in the course of Your interactions with Foxy, you will not sell, promote, or otherwise participate in the following:

    1. Illegal, Harmful, or Offensive Use or Content

      We may terminate your access to the Service if we find in our reasonable discretion that your activities, including by using the Service, include (i) activities that are illegal, harmful, fraudulent, or (ii) content, including merchandising or messaging on your website (“Content”) that is infringing or offensive. Prohibited activities or Content include:

      1. Illegal, Harmful or Fraudulent Activities. Any activities that are illegal, that violate the rights of others, or that may be harmful to others, our operations or reputation, including disseminating, promoting or facilitating child pornography, offering or disseminating fraudulent goods, services, schemes, or promotions, make-money-fast schemes, ponzi and pyramid schemes, multilevel marketing, phishing, or pharming, or conspiring to commit violence against persons or property.
      2. Infringing Content. Content that infringes or misappropriates the intellectual property or proprietary rights of others.
      3. Offensive Content. Content that is defamatory, obscene, abusive, invasive of privacy, or otherwise objectionable, including but not limited to hateful conduct (promoting violence, or directly attacking or threatening others on the basis of race, ethnicity, national origin, sexual orientation, gender, gender identity, religious affiliation, age, or disability), or content that depicts or promotes physical violence, including sexual violence.
      4. Harmful Content. Content or other computer technology that may damage, interfere with, surreptitiously intercept, or expropriate any system, program, or data, including viruses, Trojan horses, worms, time bombs, or cancelbots.
    2. Other Disallowed or Restricted Use or Content

      Certain types of products, services, or content ("Content") are disallowed. We may terminate your access to the Service if we find in our reasonable discretion that your use of Foxy services, or your Content, includes:

      1. Firearms, ammunition, or explosives, except Federal Firearms Licensed (FFL) dealers approved and vetted by an authorized Foxy partner. Content designed to circumvent federal, state, or local regulations or requirements is disallowed, as is content intended to aid in the creation of firearms, such as "receiver blanks", "80% lowers", and comparable products or services.
      2. Counterfeit, pirated or stolen goods; illegal gambling; food that does not comply with all applicable laws for sales to consumers; illicit drugs; registered or unregistered securities; or any other goods or services you are not authorized to sell.
      3. The sale, offer to sell, distribute, promote, facilitate, or disseminate to customers where prohibited by local or national law, statute, ordinance, or regulation: alcoholic beverages; pharmaceuticals or controlled substances; tobacco products; any other goods or services you are not authorized to sell; or any other goods or services that are prohibited by local or national law, statute, ordinance, or regulation.
      4. Acting in a manner that is defamatory, trade libelous, an invasion of privacy, unlawfully threatening, or unlawfully harassing.
      5. Providing false, inaccurate or misleading information.
      6. Sending or receive what we reasonably believe to be potentially fraudulent funds.
      7. Refusing to cooperate in an investigation or to provide confirmation of your identity or any information you provide to us.
      8. Controlling an account that is linked to another account that has engaged in any of these restricted activities.
      9. Taking any action that may cause us to lose any of the services from our internet service providers, payment processors, or other suppliers.

      The above list of prohibited or restricted content and use is not exclusive. Foxy reserves its right to terminate any account in its sole discretion at any time.

    3. Security Violations

      You may not use the Services to violate the security or integrity of any network, computer or communications system, software application, or network or computing device (each, a “System”). Prohibited activities include:

      1. Unauthorized Access. Accessing or using any System without permission, including attempting to probe, scan, or test the vulnerability of a System or to breach any security or authentication measures used by a System.
      2. Interception. Monitoring of data or traffic on a System without permission.
      3. Falsification of Origin. Forging TCP-IP packet headers, e-mail headers, or any part of a message describing its origin or route. The legitimate use of aliases and anonymous remailers is not prohibited by this provision.
    4. Network Abuse

      You may not make network connections to any users, hosts, or networks unless you have permission to communicate with them. Prohibited activities include:

      1. Monitoring or Crawling. Monitoring or crawling of a System that impairs or disrupts the System being monitored or crawled.
      2. Denial of Service (DoS). Inundating a target with communications requests so the target either cannot respond to legitimate traffic or responds so slowly that it becomes ineffective.
      3. Intentional Interference. Interfering with the proper functioning of any System, including any deliberate attempt to overload a system by mail bombing, news bombing, broadcast attacks, or flooding techniques.
      4. Operation of Certain Network Services. Operating network services like open proxies, open mail relays, or open recursive domain name servers.
      5. Avoiding System Restrictions. Using manual or electronic means to avoid any use limitations placed on a System, such as access and storage restrictions.

    Our Monitoring and Enforcement

    We reserve the right, but do not assume the obligation, to investigate any violation of this Policy or misuse of the Services. We may:

    • investigate violations of this Policy or misuse of the Services; or
    • remove, disable access to, or modify any content or resource that violates this Policy or any other agreement we have with you for use of the Services; or
    • terminate your access to the Services.

    We may report any activity that we suspect violates any law or regulation to appropriate law enforcement officials, regulators, or other appropriate third parties. Our reporting may include disclosing appropriate customer information. We also may cooperate with appropriate law enforcement agencies, regulators, or other appropriate third parties to help with the investigation and prosecution of illegal conduct by providing network and systems information related to alleged violations of this Policy.

  7. INFORMATION STORED BY Foxy. In order to complete transactions through the Foxy site, it is necessary for Foxy to store certain end-user information. Credit card information is stored in an encrypted format. Foxy's policy is not to reveal unencrypted credit card information to store owners and administrators unless You provide verification that meets with our approval that unencrypted credit card information is necessary, and corresponding verification that security considerations necessary for receiving and storing cardholder information have been met (such as PCI DSS). Foxy is not responsible for any misuse or unauthorized disclosure of credit card, bank account, or other sensitive payment information by You.

    Foxy does not guarantee the encryption of data beyond the requirements of the PCI-DSS (Payment Card Industry Data Security Standard). You agree not to create forms on the Foxy site that ask End-users for sensitive data, such as social security numbers or medical information, or to collect such information in clear-text fields, or to otherwise encourage End-users to share such data on Your website. Foxy will comply with all applicable state and federal laws with respect to notification to individuals in the event of a data breach for any reason; however, you will indemnify, defend and hold harmless Foxy for any fines, penalties, damages or losses, including attorney’s fees, incurred as a result of the breach of sensitive data submitted in violation of this Section.

  8. SERVICES DESCRIPTIONS. Foxy attempts to be as accurate as possible. However, Foxy does not warrant that descriptions of services or other content of this site is accurate, complete, reliable, current, or error-free. Foxy provides links to other sites over which Foxy has no control. Foxy is not responsible for the availability of such external sites or resources and does not endorse and is not responsible or liable for any content, advertising, products, or other materials on or available from such sites or resources.

  9. LIMITED WARRANTIES AND LIMITATION OF LIABILITY.

    Foxy represents that it has complied with all applicable requirements to be considered PCI DSS compliant and has performed the necessary steps to validate its compliance with the PCI DSS, and will maintain such compliance and responsibility for the security of cardholder data within the Foxy service. "PCI DSS" means a current version of the Payment Card Industry Data Security Standard administered by the Payment Card Industry Security Standards Council. Upon request, Foxy will provide proof of its PCI DSS compliance. Foxy will notify you within no more than seven (7) calendar days if it learns that it is no longer PCI DSS compliant, and will promptly take steps to remediate the non-compliance.

    EXCEPT AS OTHERWISE PROVIDED IN THIS SECTION 9,THIS SITE IS PROVIDED BY Foxy ON AN "AS IS" AND "AS AVAILABLE" BASIS. Foxy MAKES NO REPRESENTATIONS OR WARRANTIES OF ANY KIND, EXPRESS OR IMPLIED, AS TO THE OPERATION OF THIS SITE OR THE INFORMATION, CONTENT, MATERIALS, OR PRODUCTS INCLUDED ON THIS SITE. YOU EXPRESSLY AGREE THAT YOUR USE OF THIS SITE IS AT YOUR SOLE RISK. YOUR SOLE REMEDY FOR DISSATISFACTION WITH Foxy IS TO STOP USING THE SITE. Foxy RESERVES THE RIGHT TO WITHDRAW OR DELETE ANY INFORMATION FROM THIS SITE AT ANY TIME IN ITS DISCRETION.

    EXCEPT AS OTHERWISE PROVIDED IN THIS SECTION 9, TO THE FULL EXTENT PERMISSIBLE BY APPLICABLE LAW, Foxy DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, ANY WARRANTIES OF NON-INFRINGEMENT, DATA ACCURACY, OR SYSTEM SECURITY, OR THOSE ARISING FROM COURSE OF DEALING, COURSE OF PERFORMANCE OR USAGE OF TRADE. Foxy DOES NOT WARRANT THAT THIS SITE, ITS SERVERS, OR E-MAIL SENT FROM Foxy ARE FREE OF VIRUSES OR OTHER HARMFUL COMPONENTS.

    Foxy’S LIABILITY FOR DAMAGE TO YOU OR YOUR BUSINESS ARISING FROM YOUR USE OF THE SITE, UNLESS OTHERWISE STATED IN THIS AGREEMENT, SHALL BE LIMITED TO THE AMOUNT PAID BY YOU IN THE TWELVE MONTHS PRECEDING THE ACT OR OMISSION GIVING RISE TO THE DAMAGE. TO THE EXTENT PERMITTED BY LAW, Foxy WILL NOT BE LIABLE FOR ANY OTHER DAMAGES OF ANY KIND ARISING FROM THE USE OF THIS SITE, INCLUDING, BUT NOT LIMITED TO INDIRECT, INCIDENTAL, PUNITIVE, AND CONSEQUENTIAL DAMAGES.

    You agree to defend, indemnify and hold Foxy harmless from and against any and all claims, losses, liability costs and expenses (including but not limited to attorneys' fees) arising from Your violation of these Terms of Service (including, without limitation, violation of applicable additional terms), or any third-party's rights (including, without limitation, infringement of any copyright, violation of any proprietary right and invasion of any privacy rights). These obligations will survive any termination of Your relationship with Foxy or Your use of Foxy.com.

    Certain state laws do not allow limitations on implied warranties or the exclusion or limitation of certain damages. If these laws apply to You, some or all of the above disclaimers, exclusions, or limitations may not apply to You, and You might have additional rights.

  10. CANCELLATION. You alone are responsible for proper cancellation of Your account. You may cancel your account at any time by clicking the appropriate link on your monthly email receipt. Email or phone requests to cancel Your account will not be deemed cancellation.

    Your account and all of its content may be deleted immediately upon Your cancellation.

    You can cancel at any time, but You will remain liable for all charges accrued up to that time, including full monthly charges for the month which You discontinued service. You will not be charged again.

    Foxy reserves the right to cancel an account if it is deemed (by inactivity, no communication from account owners, non-responsive website, etc.) to be inactive for 90 days or more.

  11. PAYMENT AND PRICING. Foxy reserves the right to modify its pricing schedule for new Users (not currently paying for Foxy service) at any time. Foxy reserves the right to modify its pricing schedule for existing Users with 30 days' notice. You agree to pay for services provided by Foxy according to the pricing schedule available at foxycart.com or foxy.io at the time the first payment is made. If Your payment is late for any reason, You will be given 7 days to make Your payment, after which time Your store may be deactivated and any selected payment gateways will revert to test, development, or sandbox mode. If You wish to reactivate Your store You can do so at any time, but Foxy makes no guarantees that data will be retained for deactivated stores.

    REFUNDS. Foxy will issue refunds when requested within 30 days of Your payment, provided it is clear you didn't use Foxy's services to process live transactions. At Foxy's sole discretion, Foxy may issue refunds outside of that timeframe or for other reasons.

    CHARGEBACKS. If You issue a chargeback, Foxy reserves the right to immediately suspend your account. If the chargeback is determined to be made in error, and You wish to remain using Foxy, Foxy reserves the right to add Foxy's chargeback fees to your next bill.

  12. COPYRIGHT. All content included on this site, such as text, graphics, logos, button icons, images, audio clips, digital downloads, data compilations, and software, is the property of Foxy or its content suppliers and protected by United States and international copyright laws. The compilation of all content on this site is the exclusive property of Foxy and protected by U.S. and international copyright laws. All software used on this site is the property of Foxy or its software suppliers and protected by United States and international copyright laws.

  13. TRADEMARKS. Foxy's logo and other marks indicated on our site are trademarks of FoxyCart.com, LLC, in the United States and other countries. Other Foxy graphics, logos, page headers, button icons, scripts, and service names are trademarks or trade dress of FoxyCart.com, LLC or its affiliates. Foxy's trademarks and trade dress may not be used in connection with any product or service that is not Foxy's as applicable, in any manner that is likely to cause confusion among users, or in any manner that disparages or discredits Foxy. All other trademarks not owned by Foxy that appear on this site are the property of their respective owners, who may or may not be affiliated with, connected to, or sponsored by Foxy.

  14. APPLICABLE LAW. By visiting Foxy.io, FoxyCart.com, or other Foxy websites or services, you agree that the laws of the State of Texas, without regard to principles of conflict of laws, will govern these Terms of Service and any dispute of any sort that might arise between you and Foxy or its affiliates.

  15. DISPUTES. Any dispute relating in any way to your visit to Foxy.io, FoxyCart.com, or other Foxy websites or services shall be submitted to confidential arbitration in Texas, except that, to the extent you have in any manner violated or threatened to violate Foxy's intellectual property rights, Foxy may seek injunctive or other appropriate relief in any state or federal court in the State of Texas, and you consent to exclusive jurisdiction and venue in such courts. Arbitration under this agreement shall be conducted under the rules then prevailing of the American Arbitration Association. The arbitrator's award shall be binding and may be entered as a judgment in any court of competent jurisdiction.

    To the fullest extent permitted by applicable law, no arbitration under this Agreement shall be joined to an arbitration involving any other party subject to this Agreement, whether through class arbitration proceedings or otherwise.

  16. SITE POLICIES, MODIFICATION, AND SEVERABILITY. Please review our other policies posted on this site. These policies also govern your visit to Foxy.io, FoxyCart.com, or other Foxy websites or services. We reserve the right to make changes to our site, policies, and these Terms of Service at any time. If any of these conditions shall be deemed invalid, void, or for any reason unenforceable, that condition shall be deemed severable and shall not affect the validity and enforceability of any remaining condition.

  17. ALL RIGHTS RESERVED. Any rights not expressly granted herein are reserved by FoxyCart.com, LLC. The failure of Foxy to exercise any right provided for herein shall not be deemed a waiver of any right hereunder.

  18. CONTACTING US. If at any time you believe that we have not followed the above policy, or would like more information, please let us know by sending an email to helpdesk@foxycart.com or by writing to us at:
    FoxyCart.com LLC
    Attn: Terms of Service
    PO Box 1505, #31921
    Austin, TX 78767
    We will make reasonable efforts to identify and correct any problem.


GDPR Standard Contractual Clauses

Transfer Controller to Processor (C2P)

SECTION I

Clause 1

Purpose and scope

  1. The purpose of these standard contractual clauses is to ensure compliance with the requirements of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) for the transfer of personal data to a third country.
  2. The Parties:
    1. the natural or legal person(s), public authority/ies, agency/ies or other body/ies (hereinafter “entity/ies”) transferring the personal data, as listed in Annex I.A. (hereinafter each “data exporter”), and
    2. the entity/ies in a third country receiving the personal data from the data exporter, directly or indirectly via another entity also Party to these Clauses, as listed in Annex I.A. (hereinafter each “data importer”)
    have agreed to these standard contractual clauses (hereinafter: “Clauses”).
  3. These Clauses apply with respect to the transfer of personal data as specified in Annex I.B.
  4. The Appendix to these Clauses containing the Annexes referred to therein forms an integral part of these Clauses.

Clause 2

Effect and invariability of the Clauses

  1. These Clauses set out appropriate safeguards, including enforceable data subject rights and effective legal remedies, pursuant to Article 46(1) and Article 46 (2)(c) of Regulation (EU) 2016/679 and, with respect to data transfers from controllers to processors and/or processors to processors, standard contractual clauses pursuant to Article 28(7) of Regulation (EU) 2016/679, provided they are not modified, except to select the appropriate Module(s) or to add or update information in the Appendix. This does not prevent the Parties from including the standard contractual clauses laid down in these Clauses in a wider contract and/or to add other clauses or additional safeguards, provided that they do not contradict, directly or indirectly, these Clauses or prejudice the fundamental rights or freedoms of data subjects.
  2. These Clauses are without prejudice to obligations to which the data exporter is subject by virtue of Regulation (EU) 2016/679.

Clause 3

Third-party beneficiaries

  1. Data subjects may invoke and enforce these Clauses, as third-party beneficiaries, against the data exporter and/or data importer, with the following exceptions:
    1. Clause 1, Clause 2, Clause 3, Clause 6, Clause 7;
    2. Clause 8 - Clause 8.1(b), 8.9(a), (c), (d) and (e);
    3. Clause 9 - Clause 9(a), (c), (d) and (e);
    4. Clause 12 - Clause 12(a), (d) and (f);
    5. Clause 13;
    6. Clause 15.1(c), (d) and (e);
    7. Clause 16(e);
    8. Clause 18 - Clause 18(a) and (b).
  2. Paragraph (a) is without prejudice to rights of data subjects under Regulation (EU) 2016/679.

Clause 4

Interpretation

  1. Where these Clauses use terms that are defined in Regulation (EU) 2016/679, those terms shall have the same meaning as in that Regulation.
  2. These Clauses shall be read and interpreted in the light of the provisions of Regulation (EU) 2016/679.
  3. These Clauses shall not be interpreted in a way that conflicts with rights and obligations provided for in Regulation (EU) 2016/679.

Clause 5

Hierarchy

In the event of a contradiction between these Clauses and the provisions of related agreements between the Parties, existing at the time these Clauses are agreed or entered into thereafter, these Clauses shall prevail.

Clause 6

Description of the transfer(s)

The details of the transfer(s), and in particular the categories of personal data that are transferred and the purpose(s) for which they are transferred, are specified in Annex I.B.

Clause 7

Docking clause

N/A

SECTION II - OBLIGATIONS OF THE PARTIES

Clause 8

Data protection safeguards

The data exporter warrants that it has used reasonable efforts to determine that the data importer is able, through the implementation of appropriate technical and organisational measures, to satisfy its obligations under these Clauses.

8.1 Instructions
  1. The data importer shall process the personal data only on documented instructions from the data exporter. The data exporter may give such instructions throughout the duration of the contract.
  2. The data importer shall immediately inform the data exporter if it is unable to follow those instructions.
8.2 Purpose limitation

The data importer shall process the personal data only for the specific purpose(s) of the transfer, as set out in Annex I.B, unless on further instructions from the data exporter.

8.3 Transparency

On request, the data exporter shall make a copy of these Clauses, including the Appendix as completed by the Parties, available to the data subject free of charge. To the extent necessary to protect business secrets or other confidential information, including the measures described in Annex II and personal data, the data exporter may redact part of the text of the Appendix to these Clauses prior to sharing a copy, but shall provide a meaningful summary where the data subject would otherwise not be able to understand its content or exercise his/her rights. On request, the Parties shall provide the data subject with the reasons for the redactions, to the extent possible without revealing the redacted information. This Clause is without prejudice to the obligations of the data exporter under Articles 13 and 14 of Regulation (EU) 2016/679.

8.4 Accuracy

If the data importer becomes aware that the personal data it has received is inaccurate, or has become outdated, it shall inform the data exporter without undue delay. In this case, the data importer shall cooperate with the data exporter to erase or rectify the data.

8.5 Duration of processing and erasure or return of data

Processing by the data importer shall only take place for the duration specified in Annex I.B. After the end of the provision of the processing services, the data importer shall, at the choice of the data exporter, delete all personal data processed on behalf of the data exporter and certify to the data exporter that it has done so, or return to the data exporter all personal data processed on its behalf and delete existing copies. Until the data is deleted or returned, the data importer shall continue to ensure compliance with these Clauses. In case of local laws applicable to the data importer that prohibit return or deletion of the personal data, the data importer warrants that it will continue to ensure compliance with these Clauses and will only process it to the extent and for as long as required under that local law. This is without prejudice to Clause 14, in particular the requirement for the data importer under Clause 14(e) to notify the data exporter throughout the duration of the contract if it has reason to believe that it is or has become subject to laws or practices not in line with the requirements under Clause 14(a).

8.6 Security of processing
  1. The data importer and, during transmission, also the data exporter shall implement appropriate technical and organisational measures to ensure the security of the data, including protection against a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access to that data (hereinafter “personal data breach”). In assessing the appropriate level of security, the Parties shall take due account of the state of the art, the costs of implementation, the nature, scope, context and purpose(s) of processing and the risks involved in the processing for the data subjects. The Parties shall in particular consider having recourse to encryption or pseudonymisation, including during transmission, where the purpose of processing can be fulfilled in that manner. In case of pseudonymisation, the additional information for attributing the personal data to a specific data subject shall, where possible, remain under the exclusive control of the data exporter. In complying with its obligations under this paragraph, the data importer shall at least implement the technical and organisational measures specified in Annex II. The data importer shall carry out regular checks to ensure that these measures continue to provide an appropriate level of security.
  2. The data importer shall grant access to the personal data to members of its personnel only to the extent strictly necessary for the implementation, management and monitoring of the contract. It shall ensure that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
  3. In the event of a personal data breach concerning personal data processed by the data importer under these Clauses, the data importer shall take appropriate measures to address the breach, including measures to mitigate its adverse effects. The data importer shall also notify the data exporter without undue delay after having become aware of the breach. Such notification shall contain the details of a contact point where more information can be obtained, a description of the nature of the breach (including, where possible, categories and approximate number of data subjects and personal data records concerned), its likely consequences and the measures taken or proposed to address the breach including, where appropriate, measures to mitigate its possible adverse effects. Where, and in so far as, it is not possible to provide all information at the same time, the initial notification shall contain the information then available and further information shall, as it becomes available, subsequently be provided without undue delay.
  4. The data importer shall cooperate with and assist the data exporter to enable the data exporter to comply with its obligations under Regulation (EU) 2016/679, in particular to notify the competent supervisory authority and the affected data subjects, taking into account the nature of processing and the information available to the data importer.
8.7 Sensitive data

Where the transfer involves personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, or biometric data for the purpose of uniquely identifying a natural person, data concerning health or a person’s sex life or sexual orientation, or data relating to criminal convictions and offences (hereinafter “sensitive data”), the data importer shall apply the specific restrictions and/or additional safeguards described in Annex I.B.

8.8 Onward transfers

The data importer shall only disclose the personal data to a third party on documented instructions from the data exporter. In addition, the data may only be disclosed to a third party located outside the European Union (in the same country as the data importer or in another third country, hereinafter “onward transfer”) if the third party is or agrees to be bound by these Clauses, under the appropriate Module, or if:

  1. the onward transfer is to a country benefitting from an adequacy decision pursuant to Article 45 of Regulation (EU) 2016/679 that covers the onward transfer;
  2. the third party otherwise ensures appropriate safeguards pursuant to Articles 46 or 47 Regulation of (EU) 2016/679 with respect to the processing in question;
  3. the onward transfer is necessary for the establishment, exercise or defence of legal claims in the context of specific administrative, regulatory or judicial proceedings; or
  4. the onward transfer is necessary in order to protect the vital interests of the data subject or of another natural person.

Any onward transfer is subject to compliance by the data importer with all the other safeguards under these Clauses, in particular purpose limitation.

8.9 Documentation and compliance
  1. The data importer shall promptly and adequately deal with enquiries from the data exporter that relate to the processing under these Clauses.
  2. The Parties shall be able to demonstrate compliance with these Clauses. In particular, the data importer shall keep appropriate documentation on the processing activities carried out on behalf of the data exporter.
  3. The data importer shall make available to the data exporter all information necessary to demonstrate compliance with the obligations set out in these Clauses and at the data exporter’s request, allow for and contribute to audits of the processing activities covered by these Clauses, at reasonable intervals or if there are indications of non-compliance. In deciding on a review or audit, the data exporter may take into account relevant certifications held by the data importer.
  4. The data exporter may choose to conduct the audit by itself or mandate an independent auditor. Audits may include inspections at the premises or physical facilities of the data importer and shall, where appropriate, be carried out with reasonable notice.
  5. The Parties shall make the information referred to in paragraphs (b) and (c), including the results of any audits, available to the competent supervisory authority on request.

Clause 9

Use of sub-processors

N/A

Clause 10

Data subject rights

  1. The data importer shall promptly notify the data exporter of any request it has received from a data subject. It shall not respond to that request itself unless it has been authorised to do so by the data exporter.
  2. The data importer shall assist the data exporter in fulfilling its obligations to respond to data subjects’ requests for the exercise of their rights under Regulation (EU) 2016/679. In this regard, the Parties shall set out in Annex II the appropriate technical and organisational measures, taking into account the nature of the processing, by which the assistance shall be provided, as well as the scope and the extent of the assistance required.
  3. In fulfilling its obligations under paragraphs (a) and (b), the data importer shall comply with the instructions from the data exporter.

Clause 11

Redress

  1. The data importer shall inform data subjects in a transparent and easily accessible format, through individual notice or on its website, of a contact point authorised to handle complaints. It shall deal promptly with any complaints it receives from a data subject.
  2. In case of a dispute between a data subject and one of the Parties as regards compliance with these Clauses, that Party shall use its best efforts to resolve the issue amicably in a timely fashion. The Parties shall keep each other informed about such disputes and, where appropriate, cooperate in resolving them.
  3. Where the data subject invokes a third-party beneficiary right pursuant to Clause 3, the data importer shall accept the decision of the data subject to:
    1. lodge a complaint with the supervisory authority in the Member State of his/her habitual residence or place of work, or the competent supervisory authority pursuant to Clause 13;
    2. refer the dispute to the competent courts within the meaning of Clause 18.
  4. The Parties accept that the data subject may be represented by a not-for-profit body, organisation or association under the conditions set out in Article 80(1) of Regulation (EU) 2016/679.
  5. The data importer shall abide by a decision that is binding under the applicable EU or Member State law.
  6. The data importer agrees that the choice made by the data subject will not prejudice his/her substantive and procedural rights to seek remedies in accordance with applicable laws.

Clause 12

Liability

  1. Each Party shall be liable to the other Party/ies for any damages it causes the other Party/ies by any breach of these Clauses.
  2. The data importer shall be liable to the data subject, and the data subject shall be entitled to receive compensation, for any material or non-material damages the data importer or its sub-processor causes the data subject by breaching the third-party beneficiary rights under these Clauses.
  3. Notwithstanding paragraph (b), the data exporter shall be liable to the data subject, and the data subject shall be entitled to receive compensation, for any material or non-material damages the data exporter or the data importer (or its sub-processor) causes the data subject by breaching the third-party beneficiary rights under these Clauses. This is without prejudice to the liability of the data exporter and, where the data exporter is a processor acting on behalf of a controller, to the liability of the controller under Regulation (EU) 2016/679 or Regulation (EU) 2018/1725, as applicable.
  4. The Parties agree that if the data exporter is held liable under paragraph (c) for damages caused by the data importer (or its sub-processor), it shall be entitled to claim back from the data importer that part of the compensation corresponding to the data importer’s responsibility for the damage.
  5. Where more than one Party is responsible for any damage caused to the data subject as a result of a breach of these Clauses, all responsible Parties shall be jointly and severally liable and the data subject is entitled to bring an action in court against any of these Parties.
  6. The Parties agree that if one Party is held liable under paragraph (e), it shall be entitled to claim back from the other Party/ies that part of the compensation corresponding to its / their responsibility for the damage.
  7. The data importer may not invoke the conduct of a sub-processor to avoid its own liability.

Clause 13

Supervision

N/A

SECTION III - LOCAL LAWS AND OBLIGATIONS IN CASE OF ACCESS BY PUBLIC AUTHORITIES

Clause 14

Local laws and practices affecting compliance with the Clauses

  1. The Parties warrant that they have no reason to believe that the laws and practices in the third country of destination applicable to the processing of the personal data by the data importer, including any requirements to disclose personal data or measures authorising access by public authorities, prevent the data importer from fulfilling its obligations under these Clauses. This is based on the understanding that laws and practices that respect the essence of the fundamental rights and freedoms and do not exceed what is necessary and proportionate in a democratic society to safeguard one of the objectives listed in Article 23(1) of Regulation (EU) 2016/679, are not in contradiction with these Clauses.
  2. The Parties declare that in providing the warranty in paragraph (a), they have taken due account in particular of the following elements:
    1. the specific circumstances of the transfer, including the length of the processing chain, the number of actors involved and the transmission channels used; intended onward transfers; the type of recipient; the purpose of processing; the categories and format of the transferred personal data; the economic sector in which the transfer occurs; the storage location of the data transferred;
    2. the laws and practices of the third country of destination- including those requiring the disclosure of data to public authorities or authorising access by such authorities - relevant in light of the specific circumstances of the transfer, and the applicable limitations and safeguards;
    3. any relevant contractual, technical or organisational safeguards put in place to supplement the safeguards under these Clauses, including measures applied during transmission and to the processing of the personal data in the country of destination.
  3. The data importer warrants that, in carrying out the assessment under paragraph (b), it has made its best efforts to provide the data exporter with relevant information and agrees that it will continue to cooperate with the data exporter in ensuring compliance with these Clauses.
  4. The Parties agree to document the assessment under paragraph (b) and make it available to the competent supervisory authority on request.
  5. The data importer agrees to notify the data exporter promptly if, after having agreed to these Clauses and for the duration of the contract, it has reason to believe that it is or has become subject to laws or practices not in line with the requirements under paragraph (a), including following a change in the laws of the third country or a measure (such as a disclosure request) indicating an application of such laws in practice that is not in line with the requirements in paragraph (a).
  6. Following a notification pursuant to paragraph (e), or if the data exporter otherwise has reason to believe that the data importer can no longer fulfil its obligations under these Clauses, the data exporter shall promptly identify appropriate measures (e.g. technical or organisational measures to ensure security and confidentiality) to be adopted by the data exporter and/or data importer to address the situation. The data exporter shall suspend the data transfer if it considers that no appropriate safeguards for such transfer can be ensured, or if instructed by the competent supervisory authority to do so. In this case, the data exporter shall be entitled to terminate the contract, insofar as it concerns the processing of personal data under these Clauses. If the contract involves more than two Parties, the data exporter may exercise this right to termination only with respect to the relevant Party, unless the Parties have agreed otherwise. Where the contract is terminated pursuant to this Clause, Clause 16(d) and (e) shall apply.

Clause 15

Obligations of the data importer in case of access by public authorities

15.1 Notification
  1. The data importer agrees to notify the data exporter and, where possible, the data subject promptly (if necessary with the help of the data exporter) if it:
    1. receives a legally binding request from a public authority, including judicial authorities, under the laws of the country of destination for the disclosure of personal data transferred pursuant to these Clauses; such notification shall include information about the personal data requested, the requesting authority, the legal basis for the request and the response provided; or
    2. becomes aware of any direct access by public authorities to personal data transferred pursuant to these Clauses in accordance with the laws of the country of destination; such notification shall include all information available to the importer.
  2. If the data importer is prohibited from notifying the data exporter and/or the data subject under the laws of the country of destination, the data importer agrees to use its best efforts to obtain a waiver of the prohibition, with a view to communicating as much information as possible, as soon as possible. The data importer agrees to document its best efforts in order to be able to demonstrate them on request of the data exporter.
  3. Where permissible under the laws of the country of destination, the data importer agrees to provide the data exporter, at regular intervals for the duration of the contract, with as much relevant information as possible on the requests received (in particular, number of requests, type of data requested, requesting authorities, whether requests have been challenged and the outcome of such challenges, etc.).
  4. The data importer agrees to preserve the information pursuant to paragraphs (a) to (c) for the duration of the contract and make it available to the competent supervisory authority on request.
  5. Paragraphs (a) to (c) are without prejudice to the obligation of the data importer pursuant to Clause 14(e) and Clause 16 to inform the data exporter promptly where it is unable to comply with these Clauses.
15.2 Review of legality and data minimisation
  1. The data importer agrees to review the legality of the request for disclosure, in particular whether it remains within the powers granted to the requesting public authority, and to challenge the request if, after careful assessment, it concludes that there are reasonable grounds to consider that the request is unlawful under the laws of the country of destination, applicable obligations under international law and principles of international comity. The data importer shall, under the same conditions, pursue possibilities of appeal. When challenging a request, the data importer shall seek interim measures with a view to suspending the effects of the request until the competent judicial authority has decided on its merits. It shall not disclose the personal data requested until required to do so under the applicable procedural rules. These requirements are without prejudice to the obligations of the data importer under Clause 14(e).
  2. The data importer agrees to document its legal assessment and any challenge to the request for disclosure and, to the extent permissible under the laws of the country of destination, make the documentation available to the data exporter. It shall also make it available to the competent supervisory authority on request.
  3. The data importer agrees to provide the minimum amount of information permissible when responding to a request for disclosure, based on a reasonable interpretation of the request.

SECTION IV - FINAL PROVISIONS

Clause 16

Non-compliance with the Clauses and termination

  1. The data importer shall promptly inform the data exporter if it is unable to comply with these Clauses, for whatever reason.
  2. In the event that the data importer is in breach of these Clauses or unable to comply with these Clauses, the data exporter shall suspend the transfer of personal data to the data importer until compliance is again ensured or the contract is terminated. This is without prejudice to Clause 14(f).
  3. The data exporter shall be entitled to terminate the contract, insofar as it concerns the processing of personal data under these Clauses, where:
    1. the data exporter has suspended the transfer of personal data to the data importer pursuant to paragraph (b) and compliance with these Clauses is not restored within a reasonable time and in any event within one month of suspension;
    2. the data importer is in substantial or persistent breach of these Clauses; or
    3. the data importer fails to comply with a binding decision of a competent court or supervisory authority regarding its obligations under these Clauses.
    In these cases, it shall inform the competent supervisory authority such non-compliance. Where the contract involves more than two Parties, the data exporter may exercise this right to termination only with respect to the relevant Party, unless the Parties have agreed otherwise.
  4. Personal data that has been transferred prior to the termination of the contract pursuant to paragraph (c) shall at the choice of the data exporter immediately be returned to the data exporter or deleted in its entirety. The same shall apply to any copies of the data. The data importer shall certify the deletion of the data to the data exporter. Until the data is deleted or returned, the data importer shall continue to ensure compliance with these Clauses. In case of local laws applicable to the data importer that prohibit the return or deletion of the transferred personal data, the data importer warrants that it will continue to ensure compliance with these Clauses and will only process the data to the extent and for as long as required under that local law.
  5. Either Party may revoke its agreement to be bound by these Clauses where (i) the European Commission adopts a decision pursuant to Article 45(3) of Regulation (EU) 2016/679 that covers the transfer of personal data to which these Clauses apply; or (ii) Regulation (EU) 2016/679 becomes part of the legal framework of the country to which the personal data is transferred. This is without prejudice to other obligations applying to the processing in question under Regulation (EU) 2016/679.

Clause 17

Governing law

These Clauses shall be governed by the law of a country allowing for third-party beneficiary rights. The Parties agree that this shall be the law of Ireland.

Clause 18

Choice of forum and jurisdiction

  1. Any dispute arising from these Clauses shall be resolved by the courts of Ireland.

UK AND SWISS ADDENDUM TO THE STANDARD CONTRACTUAL CLAUSES

  1. This Addendum amends the Standard Contractual Clauses to the extent necessary so they operate for transfers made by the data exporter to the data importer, to the extent that the UK GDPR or Swiss DPA (as defined in the Data Processing Addendum) apply to the data exporter’s processing when making that transfer.
  2. The Standard Contractual Clauses shall be amended with the following modifications:
    1. references to "Regulation (EU) 2016/679" shall be interpreted as references to the UK GDPR or Swiss DPA (as applicable);
    2. references to specific Articles of "Regulation (EU) 2016/679" shall be replaced with the equivalent article or section of the UK GDPR or Swiss DPA (as applicable);
    3. references to Regulation (EU) 2018/1725 shall be removed;
    4. references to "EU", "Union" and "Member State" shall be replaced with references to the "UK" or "Switzerland" (as applicable);
    5. Clause 13(a) and Part C of Annex II are not used and the "competent supervisory authority" shall be the United Kingdom Information Commissioner or Swiss Federal Data Protection Information Commissioner (as applicable);
    6. references to the "competent supervisory authority" and "competent courts" shall be replaced with references to the "Information Commissioner" and the "courts of England and Wales" or the "Swiss Federal Data Protection Information Commissioner" and "applicable courts of Switzerland" (as applicable);
    7. in Clause 17, the Standard Contractual Clauses shall be governed by the laws of England and Wales or Switzerland (as applicable); and
    8. to the extent the UK GDPR applies to the processing, Clause 18 shall be replaced to state: “Any dispute arising from these Clauses shall be resolved by the courts of England and Wales. A data subject may also bring legal proceedings against the data exporter and/or data importer before the courts of any country in the UK. The Parties agree to submit themselves to the jurisdiction of such courts”; and
    9. to the extent the Swiss DPA applies to the processing, Clause 18 shall be replaced to state: “Any dispute arising from these Clauses shall be resolved by the competent courts of Switzerland. The Parties agree to submit themselves to the jurisdiction of such courts”.

Data Processing Addendum

Definitions

In this Data Processing Addendum,

  1. "Data Protection Legislation" means European Directives 95/46/EC and 2002/58/EC, and any legislation and/or regulation implementing or made pursuant to them, or which amends or replaces any of them (including the General Data Protection Regulation, Regulation (EU) 2016/679);

  2. "Data Controller", "Data Processor", "processing", "data subject", and "personal data breach" shall have the meanings given to the terms "controller", "processor", "processing", "data subject", and "personal data breach" respectively in Article 4 of the GDPR;

  3. "You", "your", and any cognate expression shall refer to the FoxyCart.com LLC User, and applies for users who are Data Controllers, Data Processors, and Data Sub-Processors;

  4. "Us", "we", "our", and any cognate expression shall refer to FoxyCart.com LLC;

  5. "Admin" shall refer to the account administration interface available to you at admin.foxycart.com, my.foxy.io, or other domains;

  6. "Personal data", "data subject", "data controller", "data processor", and "personal data breach" shall have the meaning defined in Article 4, EU Regulation 2016/679 General Data Protection Regulation ("GDPR");

  7. "Writing", and any cognate expression, means any communication effected by electronic or facsimile transmission or similar means, unless the context otherwise requires;

  8. "Account", "account configuration", and any cognate expression, means Your Foxy store's settings and configuration as configured by You or your representatives in the Foxy administration, via the Foxy API, or any other means.

Data Protection & Processing

  1. The Parties (FoxyCart.com LLC and You) agree that they shall both comply with all applicable data protection requirements set out in the Data Protection Legislation. This Data Processing Addendum shall not relieve either Party of any obligations set out in the Data Protection Legislation and does not remove or replace any of those obligations.

  2. For the purposes of the Data Protection Legislation and for this Data Processing Addendum, You are the "Data Controller" and FoxyCart.com LLC is the "Data Processor".

  3. The type(s) of personal data, the scope, nature and purpose of the processing, and the duration of the processing are set out in our Privacy Policy.

  4. The Data Controller shall ensure that it has in place all necessary consents and notices required to enable the lawful transfer of personal data to the Data Processor for the purposes described in this Agreement.

  5. The Data Processor shall, with respect to any personal data processed by it in relation to its performance of any of its obligations under this Agreement:

    1. Process the personal data only on the written instructions or account configuration of the Data Controller, unless the Data Processor is otherwise required to process such personal data by law. The Data Processor shall promptly notify the Data Controller of such processing unless prohibited from doing so by law.
    2. Ensure that it has in place suitable technical and organizational measures to protect the personal data from unauthorised or unlawful processing, accidental loss, damage or destruction. Such measures shall be proportionate to the potential harm resulting from such events, taking into account the current state of the art in technology and the cost of implementing those measures.
    3. Ensure that any and all staff with access to the personal data (whether for processing purposes or otherwise) are contractually obliged to keep that personal data confidential. And…
    4. Transfer personal data outside of the European Economic Area only when the following conditions are satisfied, and ensure that these conditions are satisfied:

      1. The Data Controller and/or the Data Processor has/have provided suitable safeguards for the transfer of personal data;
      2. Affected data subjects have enforceable rights and effective legal remedies;
      3. The Data Processor complies with its obligations under the Data Protection Legislation, providing an adequate level of protection to any and all personal data so transferred; and
      4. The Data Processor complies with all reasonable instructions given in advance by the Data Controller with respect to the processing of the personal data.
    5. Assist the Data Controller (at the Data Controller's cost and at the Data Controller's discretion), in responding to any and all requests from data subjects in ensuring its compliance with the Data Protection Legislation with respect to security, breach notifications, impact assessments, and consultations with supervisory authorities or regulators.
    6. Notify the Data Controller without undue delay of a personal data breach.
    7. On the Data Controller’s written instruction, delete (or otherwise dispose of) or return all personal data and any and all copies thereof (excluding encrypted backups, logs, or other data stores mentioned in our Privacy Policy) to the Data Controller on termination of this Agreement unless it is required to retain any of the personal data by law. And…
    8. Maintain complete and accurate records of all processing activities and technical and organizational measures implemented necessary to demonstrate compliance with this Data Processing Addendum and to allow for audits by the Data Controller and/or any party designated by the Data Controller.
  6. The Data Processor shall not sub-contract any of its obligations to a sub-processor with respect to the processing of personal data under this Data Processing Addendum without the prior general consent, written consent of the Data Controller (such consent not to be unreasonably withheld), or account configuration by the Data Controller. In the case of general written authorisation, the processor shall inform the controller of any intended changes concerning the addition or replacement of other processors, thereby giving the controller the opportunity to object to such changes. In the event that the Data Processor appoints a sub-processor, the Data Processor shall:

    1. Enter into a written agreement with the sub-processor, which shall impose upon the sub-processor the same obligations as are imposed upon the Data Processor by this Data Processing Addendum and which shall permit both the Data Processor and the Data Controller to enforce those obligations; and
    2. Ensure that the sub-processor complies fully with its obligations under that agreement and the Data Protection Legislation.
  7. We may, at any time and with notification in our Admin, alter this Data Processing Addendum, replacing it with any applicable data processing clauses or similar terms that form part of an applicable certification scheme. Such terms shall apply when replaced by attachment to this Agreement.

Miscellaneous

  1. Conflict or Inconsistency. In the event of any conflict or inconsistency between the Terms of Service and this Addendum, or other document relating to the transactions contemplated by this Addendum, the terms and conditions set forth in this Addendum shall prevail.

  2. No Other Changes. Except as otherwise set forth in this Addendum, all terms and provisions of the Terms of Service remain unchanged and in full force and effect.

List of Subprocessors

Foxy uses certain sub-processors to assist in providing Foxy's services. A sub-processor is a third party company engaged by Foxy to process personal data (i) on behalf of Foxy Users and End-users; (ii) in accordance with Users' instructions and settings as configured in their Foxy accounts; and (iii) in strict accordance with the terms of a written contract between Foxy and the sub-processor.

Foxy may provide email notifications of changes to our Subprocessor list, but You are encouraged to use a tool to monitor changes to web pages to ensure you are notified of changes.

The below Subprocessor list includes any third-parties who may have access to Your data by utilizing our service. The type of data that the Subprocessor has access to is limited to only what is reasonably necessary to perform the service provided. The "Data Subjects" indicates whether Foxy transfers to the Subprocessor Your data, Your Customers' data, or both.

Further, while using the Services, You may configure various 3rd parties to receive Your Customers' data (such as payment processing services, shipping services, tax services, anti-fraud services, analytics services, etc.). Those third parties are not included in this Subprocessor list. You are responsible for understanding the terms and policies of any third party you configure or otherwise utilize in your use of the Services.

SubprocessorData SubjectsNature of Service ProvidedEntity Country
Amazon Web Services, Inc.You, Your CustomersInfrastructure (web servers, databases, logging, web application firewalls, content distribution, etc.)USA
Authorize.net LLCYouPayment processingUSA
Stripe, Inc; Stripe Payments Europe, Ltd; Stripe Payments Australia Pty. LtdYouPayment processingUSA, Ireland, Australia
PayPal, Inc; PayPal (Europe) LtdYouPayment processingUSA, United Kingdom
Google IncYouEmail; AnalyticsUSA
Xero LimitedYouAccountingNew Zealand
Slack Technologies, IncYouCommunicationUSA
Twilio IncYou, Your CustomersOutbound email (Sendgrid)USA
SixMix LLCYouIn-app notificationsUSA
Help Scout PBCYouHelpdeskUSA
ZohoYouEmail marketing, CRM, analyticsUSA
AddThis (Oracle America, Inc.)YouSocial media content sharingUSA

Annex 1.A: List of Parties

Data exporter:

Name: The customer, as defined in the Terms of Service and referred to as "You".
Name, address, and contact person's details: Your details as entered in Our services.
Activities relevant to the data transferred under these Clauses: Processing of Personal Data in connection with Your use of the Services, as defined in Our Terms of Service.
Role: Controller

Data importer:

Name: FoxyCart.com LLC
Name, address, and contact person's details: PO Box 1505, #31921, Austin, TX 78767, USA
Activities relevant to the data transferred under these Clauses: Processing of Personal Data in connection with Your use of the Services, as defined in Our Terms of Service.
Role: Controller

Annex 1.B: Description of Transfer

Categories of data subjects whose personal data is transferred:

"Users" includes You and others with access to Your services (such as employees, partners, contractors). "Your Customers" (or "End-users") include users or customers of your own website that enter personal data into Our Services, or that You add to Our Services via APIs or other means.

Categories of personal data transferred:

Names, emails, titles, addresses, and billing details. Product, service, donation, or other transaction information as configured by You. Additional cookies or values passed by You.

Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures:

Payment details and account numbers (such as credit or debit card numbers; bank account numbers) may be transferred, and are protected by current and acceptable PCI-DSS, at a minimum.

The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis):

One-off, except when You have configured recurring billing or other functionality within the Services such as webhooks.

Nature of the processing:

Collection, use, and storage for use with the relevant Services.

Purpose(s) of the data transfer and further processing:

Personal Data will be Processed in accordance with the Agreement (including this DPA) and may be subject to the following Processing activities:

  1. Providing, maintaining, and supporting the Services, in accordance with this agreement.
  2. Compliance with applicable laws.
  3. Otherwise fulfilling Our obligations.
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period:

Foxy will retain the data for the duration of the term of the Services, and in accordance with Section 8 of the Standard Contractual Clauses.

For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing:

Foxy uses sub-processors to support its infrastructure environment, local and international providers of telecommunications and networking services, legal entities engaged in data storage and content delivery material. Personal data processed by sub-processors is processed for the purposes and duration of the relevant Foxy Services agreement.


These Terms of Service were last updated on: 2022.01.12